Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having problems with Dr Web


  • This topic is locked This topic is locked
6 replies to this topic

#1 StanZMan

StanZMan

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:33 PM

Posted 24 November 2010 - 08:02 AM

I appologize for posting this thread to two different boards. I was not sure which to use.

My PC was infected with the Backdoor:win32/cycbot.b Trojan and I found a fix in one of the treads posted here which suggested running the DR Web Cleanit and then MBAM. My operating system is XP pro sp3. I have a wireless connection but also have the ability to hard wire if necessary.
The specific thread I was following is "how do i remove Backdoor:Win32/Cycbot."
I am running this program in safe mode as instructed.
Everything was moving along fine until the scan finished.
The directions in the thread say:
•When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.

•Click Select All, then choose Cure > Move incurable.
This is where the problem occurs, I click the select all button and it goes to Grey, but none of the files are selected and the cure button is still grayed out.
So the program is able to identify the infected files (3200+), cure some and move others, but then I cannot proceed with any other actions.
I did try rebooting the system and complete the MABM scan, which found and successfully removed items but I am still getting indications the computer is infected.
I tried running the Dr Web CleanIt in safe mode again and it identified nearly the same number of infected files.

Do you have any suggestions on what to do next?

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:33 PM

Posted 24 November 2010 - 12:06 PM

Hello ,we removed the other topic,thanks.

Run the MBAM scan and post that log and then run this.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Rerun Drweb.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 StanZMan

StanZMan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:33 PM

Posted 26 November 2010 - 07:24 PM

Thanks for the additional information. Unfortunately I am still experiencing the same issue with drweb.
I should probably explain that the desktop that has the virus will not connect to the internet (I have a good connection and successful pings but cannot access any pages) so I have been using a flash drive to transfer programs (downloads) and log files back & forth.

I ran MBAM again and it identified several items: Log attached:

I then ran TDSS Killer and it found no items. I then tried DRweb again (twice - once in safe mode and once after a normal start up) and could not perform the Clean function as stated above.

The DR WEB does run in an "enhanced protection mode" if that makes any difference.

Any other recommendations are appreciated.


Log File From MABM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5166

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/26/2010 8:21:21 AM
mbam-log-2010-11-26 (08-21-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 235263
Time elapsed: 2 hour(s), 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Passwords.XGen) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\DoctorWeb\Quarantine\A0009311.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\DoctorWeb\Quarantine\A0001763.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\DoctorWeb\Quarantine\A0002175.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\DoctorWeb\Quarantine\A0002383.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\DoctorWeb\Quarantine\cleansweep.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\hpzmsi01Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\hpzscr01Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Documents and Settings\User\Local Settings\Temp\hpdj00Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\IKernelSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\bin\hpqSRMonSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\bin\hpqtra08Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\bin\HpqPsAplSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\hpzglu12Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpoapd01Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\Digital Imaging\{342C7C88-D335-4bc2-8CF1-281857629CE2}\setup\hpzscr01Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\HP Software Update\HPWUCliSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\HP\HP Software Update\HPWuSchd2Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Internet Explorer\IEXPLORESrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Palm\HotsyncSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\QuickTime\QTTaskSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Intuit\QuickBooks 2007\installSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\iTunes\iTunesHelperSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Java\jre6\bin\jqsSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Microsoft\DesktopLayer.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Microsoft Office\Office12\OUTLOOKSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Microsoft Office\Office12\WINWORDSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\Program Files\Windows Desktop Search\WindowsSearchSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\WINDOWS\system32\MsiExecSrv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\WINDOWS\system32\RunDll32Srv.exe (Spyware.Passwords.XGen) -> No action taken.
C:\WINDOWS\system32\regsvr32Srv.exe (Spyware.Passwords.XGen) -> No action taken.

Log File From TDSSKiller:

2010/11/26 18:57:00.0296 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/26 18:57:00.0296 ================================================================================
2010/11/26 18:57:00.0296 SystemInfo:
2010/11/26 18:57:00.0296
2010/11/26 18:57:00.0296 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/26 18:57:00.0296 Product type: Workstation
2010/11/26 18:57:00.0296 ComputerName: LINDAPC
2010/11/26 18:57:00.0296 UserName: User
2010/11/26 18:57:00.0296 Windows directory: C:\WINDOWS
2010/11/26 18:57:00.0296 System windows directory: C:\WINDOWS
2010/11/26 18:57:00.0296 Processor architecture: Intel x86
2010/11/26 18:57:00.0296 Number of processors: 1
2010/11/26 18:57:00.0296 Page size: 0x1000
2010/11/26 18:57:00.0296 Boot type: Normal boot
2010/11/26 18:57:00.0296 ================================================================================
2010/11/26 18:57:00.0500 Initialize success
2010/11/26 18:57:04.0640 ================================================================================
2010/11/26 18:57:04.0640 Scan started
2010/11/26 18:57:04.0640 Mode: Manual;
2010/11/26 18:57:04.0640 ================================================================================

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:33 PM

Posted 26 November 2010 - 10:48 PM

Hello the first thing i must tell you is the malware found has stolen any personal info. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.


This can be a very serious infcetion
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Passwords.XGen) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.


As you have trouble with Drweb I feel it best to get a deeper look as you need to be certain this is off your PC.

Please go here....
Preparation Guide .

Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.
If Gmer won't run,skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:02:33 PM

Posted 26 November 2010 - 11:39 PM

For the internet connecion.. Try this--open control, internet options, connections tab, lan settings, uncheck the box next to "use proxy...."
OR
Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the enter key.

Reboot your system to complete the process.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 StanZMan

StanZMan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:33 PM

Posted 28 November 2010 - 08:35 AM

I could not run the GMER. It caused the desktop to freeze up to the point I had to perform a hard boot. I did post to the malware removal topics per your prep guide but there was an issue witht he dss.scr log file being too big to attach ant is was not readable by my inexperiences mind. (I did attach an example in the malware removal topic).
I was able to reestablish the internet on that PC but I have since disabled the internet connection as a security precaution.
I look forward to other suggestions.

#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:33 PM

Posted 28 November 2010 - 04:31 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic363522.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users